micromatch / braces

Faster brace expansion for node.js. Besides being faster, braces is not subject to DoS attacks like minimatch, is more accurate, and has more complete support for Bash 4.3.
https://github.com/jonschlinkert
MIT License

Update snapdragon #18

Closed ddollar closed 5 years ago

ddollar commented 6 years ago

The version used (0.8) has a dependency with a vulnerability (debug)

https://nvd.nist.gov/vuln/detail/CVE-2017-16137

jonschlinkert commented 6 years ago

Since people are financially incentivized to find and create those vulnerability reports, we'll need to have more information than this. Please also describe:

And any other information that can shed some light on why we should take action.

ddollar commented 6 years ago

I don't have much context other than that Github is pinging me about a vulnerability in my app. Tracked it down to nodemon which uses snapdragon which uses braces.

jonschlinkert commented 6 years ago

Ok, I believe this is the referenced issue: https://github.com/visionmedia/debug/issues/501.

ckoutsiaris commented 6 years ago

I am getting alerts from github about mixin-deep vulnerability and it looks like they can be resolved with a snapdragon update in braces.

[screenshot 2018-11-07 at 14:04:13]

[screenshot 2018-11-07 at 14:01:19]

denjaland commented 5 years ago

Any progress on this one? I'm getting the same report now...

└─┬ laravel-mix@3.0.0
  └─┬ chokidar@2.0.4
    └─┬ braces@2.3.2
      └─┬ snapdragon@0.8.1
        └─┬ base@0.11.2
          └── mixin-deep@1.3.0
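As an added example (not braces' own code and not posted by anyone in this thread), the following Node script reproduces the kind of `npm ls` chain shown above from a constructed, simplified lockfile-style graph, and names the direct dependency that pulls the flagged package in. The `lock` object, `findPaths`, `directDepsPullingIn` and `renderChain` are all assumptions made for this example; a real package-lock.json nests `dependencies` and can carry several versions of the same name.

```javascript
// Constructed graph (name -> {version, requires}) reproducing the chain
// posted in the thread. "root" stands for the application's own package.
const lock = {
  root:          { version: '0.0.0',  requires: { 'laravel-mix': '^3.0.0' } },
  'laravel-mix': { version: '3.0.0',  requires: { chokidar: '^2.0.4' } },
  chokidar:      { version: '2.0.4',  requires: { braces: '^2.3.2' } },
  braces:        { version: '2.3.2',  requires: { snapdragon: '^0.8.1' } },
  snapdragon:    { version: '0.8.1',  requires: { base: '^0.11.2' } },
  base:          { version: '0.11.2', requires: { 'mixin-deep': '^1.3.0' } },
  'mixin-deep':  { version: '1.3.0',  requires: {} },
};

// Return every dependency path from `from` to `target`, each as a list of
// "name@version" strings (the synthetic root entry is dropped). A per-path
// trail check guards against cycles, which real npm graphs can contain.
function findPaths(graph, target, from = 'root') {
  const results = [];
  const walk = (name, trail) => {
    const node = graph[name];
    if (!node) return; // entry missing from the lockfile: nothing to follow
    const here = [...trail, `${name}@${node.version}`];
    if (name === target) { results.push(here); return; }
    for (const dep of Object.keys(node.requires || {})) {
      if (trail.some(t => t.startsWith(dep + '@'))) continue; // cycle guard
      walk(dep, here);
    }
  };
  walk(from, []);
  return results.map(p => p.slice(1));
}

// The direct dependencies through which `target` is reachable: these are
// the packages an application author can actually upgrade or replace.
function directDepsPullingIn(graph, target) {
  const names = findPaths(graph, target).map(p => p[0].split('@')[0]);
  return [...new Set(names)];
}

// Render one path in the indented tree style `npm ls` prints.
function renderChain(path) {
  return path.map((entry, i) => {
    const last = i === path.length - 1;
    return ' '.repeat(i * 2) + (last ? '└── ' : '└─┬ ') + entry;
  }).join('\n');
}

// Usage: print the chain for the flagged package and the direct dep to act on.
for (const p of findPaths(lock, 'mixin-deep')) console.log(renderChain(p));
console.log('direct deps pulling it in:', directDepsPullingIn(lock, 'mixin-deep'));
```

Run against a real project by replacing `lock` with a graph built from `package-lock.json`; the useful output for triage is `directDepsPullingIn`, since that is the only layer an application author controls when a transitive package is flagged.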

simevo commented 5 years ago

this was already requested by #13

jonschlinkert commented 5 years ago

> I am getting alerts from github about mixin-deep vulnerability and it looks like they can be resolved with a snapdragon update in braces.

This is not a vulnerability, and even if it was it's not possible for it to manifest in braces. Closing in favor of a PR. All unit tests must pass, as well as regression and integration tests in downstream libraries.